Showing posts with label thunderbird. Show all posts

2024/04/23

thunderbird vs self-signed certs

A default dovecot install on AlmaLinux 9 creates a self-signed SSL certificate. Thunderbird is now very picky about SSL certs. It used to tell you a certificate wasn't valid and allow you to create an exception. Now it just spins and does nothing. You will see the following in your dovecot logs:

Apr 23 18:47:42 sHOST dovecot[12484]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=CLIENTIP, lip=HOSTIP, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<BNl+V8sWFOgKAAAF>

I spent 4-5 hours running around in circles to try and find a solution.

The first step is to import the key. To do that, tell dovecot to listen on port 443 (https) by adding the following lines to the service imap-login stanza in /etc/dovecot/conf.d/10-master.conf:

#service imap-login {
  # extra listener so Thunderbird can fetch the dovecot cert over https
  inet_listener https {
    port = 443
    ssl = yes
  }
#}

Note that you could also set up lighttpd to serve up the cert.

Restart dovecot with:

systemctl restart dovecot

Test the above with:

openssl s_client -connect YOURHOST:443

Then, in Thunderbird, go into Hamburger > Preferences > Privacy & security > (scroll way down) > Manage Certificates... In the Certificate Manager window, select the Servers tab, click Add Exception... and enter https://YOURHOST:443. Then click Get Certificate and Confirm Security Exception.

We now have an exception for YOURHOST:443, but we want YOURHOST:993 (if you are using SSL/TLS) or YOURHOST:143 (if you are using STARTTLS). To fix the port number, you need to close Thunderbird, then modify the Thunderbird profile directly. Under Linux, this is ~USER/.thunderbird/SOMETHING-NON-OBVIOUS. I had a half dozen directories. To find the one you want:

cd ~/.thunderbird
find . -name cert_override.txt | xargs ls -l --sort=time

The most recently modified file is the one you want to edit. It will contain a line like this:

YOURHOST:443    OID.2.16.840.1.101.3.4.2.1      HEX-STRING-HERE U       BASE64-STRING-HERE

Change the :443 on that line to :993 (for SSL/TLS) or :143 (for STARTTLS).

You can confirm you have the correct line by comparing the HEX-STRING-HERE with your dovecot cert's SHA256 fingerprint:

openssl x509 -sha256 -in /etc/pki/dovecot/certs/dovecot.pem -noout -fingerprint
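
The port edit and the fingerprint check above can be combined so the entry is only retargeted when it really belongs to your dovecot cert. The shell functions below are an added example, not part of the original post; they assume the whitespace-separated field layout of the sample line above, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Thunderbird must be closed first.
# Field layout is taken from the sample line above:
#   HOST:PORT  OID  FINGERPRINT  FLAGS  BASE64   (whitespace-separated)

# Reduce a fingerprint to bare upper-case hex: drops an openssl-style
# "... Fingerprint=" prefix and any colons, so either notation compares equal.
norm_fpr() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# retarget_override FILE HOST NEWPORT FINGERPRINT
# Returns 0 if exactly one HOST:443 line with a matching fingerprint was
# rewritten, 1 if none (or several) matched, 2 on bad arguments.
retarget_override() {
    file=$1 host=$2 newport=$3
    want=$(norm_fpr "$4")
    [ -f "$file" ] && [ -n "$want" ] || return 2
    case $newport in 993|143) ;; *) return 2 ;; esac
    tmp=$(mktemp) || return 2
    awk -v host="$host" -v port="$newport" -v want="$want" '
        $1 == (host ":443") {
            got = toupper($3); gsub(/:/, "", got)
            if (got == want) { sub(/^[^ \t]+/, host ":" port); changed++ }
        }
        { print }
        END { exit (changed == 1 ? 0 : 1) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the untouched file as .bak, then write the result in place.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, with the cert path from the post (PROFILE is the directory found above):
#   fpr=$(openssl x509 -sha256 -in /etc/pki/dovecot/certs/dovecot.pem -noout -fingerprint)
#   retarget_override ~/.thunderbird/PROFILE/cert_override.txt YOURHOST 993 "$fpr"
```

A return code of 1 means no :443 line for that host carried the expected fingerprint, and the file is left unchanged.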

2017/08/29

Far too many spelling options in Thunderbird and Firefox

Mozilla projects offer to check the spelling in every language installed on your computer. Which is great, except I don't need South African English, nor will I ever use Swiss French. And wading through the 20 items in the menu to switch from Canadian English to Québecois French is annoying.

And there is no easy way to fix this.

The hard way is to go into /usr/share/myspell and remove all the .dic and .aff files you don't want.

$ sudo su -
Password for fil@scott: 
# cd /usr/share/myspell/
# mkdir NOT
# mv *.dic *.aff NOT
# ln -s NOT/fr_CA.aff
# ln -s NOT/fr_CA.dic
# ln -s NOT/en_CA.aff
# ln -s NOT/en_CA.dic

Restart Thunderbird and you will now have 2 spelling options.

Yes, these changes are system-wide. There is currently no other way to do it, apparently.